Abstract. Human memory is not perfect: people constantly memorize new facts and forget old ones. One example is forgetting a password, a common problem raised at IT help desks. We present several protocols that allow a user to automatically recover a password from a server using partial knowledge of the password. These protocols can be easily adapted to the personal entropy setting [7], where a user can recover a password only if he can answer a large enough subset of personal questions. We introduce client-server password recovery methods, in which the recovery data are stored at the server, and the recovery procedures are integrated into the login procedures. These methods apply to two of the most common types of password based authentication systems. The security of these solutions is significantly better than the security of presently proposed password recovery schemes. Our protocols are based on a variation of threshold encryption [5,8,17] that may be of independent interest.

Key words: password recovery, threshold encryption scheme, private computing, personal entropy

1 Introduction 

People constantly memorize new facts, but also forget old ones. One quite common example is forgetting a password. It is one of the most common problems raised at IT help-desks. Therefore, many systems for password recovery (PR) have been built. The common aim of all these systems is to provide reliable solutions for legitimate users to recover lost passwords or to receive a new password (i.e., resetting the old password), without significantly increasing the vulnerability against attackers.

The simplest way to authenticate the user is to use an out-of-band channel, like a phone call, or to show up physically at a system administrator. This is costly, however, and cumbersome. More user-friendly, but less secure, is the common method used by many websites that store the password of the user in the clear and resend it to the user's email address on request. Sometimes websites require a user to answer some personal question, like "what is your mother's maiden name?". However, this method is insecure because a password sent in cleartext can be easily intercepted and it is relatively easy to answer such a single question.

Another widely used method to cope with forgetting passwords is a password reset system. In this system, when a user forgets the password, the server sets a new password and emails the new password to the client (again maybe after answering a personal question). Now the legitimate user can regain system access easily. However, the security of this system depends heavily on the security of the email server, and therefore, this system is uninteresting from our point of view.

There is quite a lot of research on more sophisticated PR methods that do not fully trust the server. One approach is to use secret sharing [2,18]. This solution divides a password into $n$ shares (that are stored on trusted servers) in such a way that for the reconstruction it is necessary to collect at least a threshold $t$ of these shares. However, the user still needs to authenticate somehow to the servers, and therefore this system does not fully solve our problem.

In [7] a PR system based on personal entropy is proposed. In this system, a user is asked some questions about his personal history during password registration. The system generates a random secret key, and encrypts the real password with it. Subsequently, the answers given by the user are used to "encrypt" the random secret key. The user then stores the questions, the "encryption" of the secret value, and the encryption of the password on his computer. A secret sharing scheme is used to enable password recovery, even if some questions are answered incorrectly. The drawback of this scheme is the lack of a rigorous security analysis. In fact, [3] demonstrates a serious weakness of this scheme: with the parameters recommended for a security level of 2^^^, the system is in fact vulnerable to an attack that requires only 2^^ operations.

The ideas from [7] were improved in [9]. This improved password recovery 
uses error-correcting codes instead of a secret sharing scheme. A rigorous security 
analysis is performed in the chosen model. The solution of [9] uses techniques 
that are very close to secure sketches. 

Secure sketches and fuzzy extractors (described e.g., in [6]), and their robust versions [12,15], are cryptographic tools useful for turning noisy information into cryptographic keys and securely authenticating biometric data. They may also be used to solve the password recovery problem. However, contrary to intuition, it seems hard to use these cryptographic primitives to solve password recovery in our most secure model, as shown in Section 3.

We believe that [7, 9] are a significant step towards a practical PR solution. 
However, such so-called local PR systems are vulnerable to attackers that steal 
the recovery data from the user's machine (which is quite often inadequately 
secured) and then mount an offline brute force attack to recover the password. 
To avoid this scenario, we introduce client-server password recovery, in which the 
recovery data should be stored at the server, and PR should be integrated into 
the login procedure. In such a setting (under the more reasonable assumption 
that the recovery data cannot be stolen from the secure server) an attacker can 
only perform an online brute force attack. Security then can be increased by 
limiting the number of tries per account, or increasing the response time. 

Our contributions are the following. Firstly, we introduce the password recovery problem and the client-server PR security model, together with a short analysis of password authentication systems, in Section 2. All our client-server PR systems apply to a simple (low entropy) password login system. In all these PR systems, the client is stateless, and all recovery data is stored at the server. Our solutions reduce the entropy somewhat, but are still more secure than other approaches. Moreover, our ideas can be straightforwardly applied to the personal entropy system, as shown in Subsection 2.2, making the recovery phase more secure. We elaborate on using secure sketches and fuzzy extractors for PR in Section 3. Subsequently, we present a new algorithm (Section 4) for local PR that is based on intractability Assumption 2 from [14]. In Section 5 we introduce a new variant of threshold encryption [5,8,17], called equivocal threshold encryption, that does not provide validity proofs for the decryption shares. Combining these two, we present protocols for client-server PR integrated into two classes of systems for password based login: the most common, hash based one in which the server keeps hashes of passwords but receives cleartext passwords during the login phase (Section 6), and the most secure solution, based on challenge response, in which the server never sees passwords in clear at all (Section 7). Moreover, in the appendix we briefly present a simple substring-knowledge PR working in the challenge response setting. Furthermore, all our password recovery systems can be easily modified to work as password reset systems. Due to space constraints we omit these easy transformations.

PASSWORD REGISTRATION:
Client (login, $p = p_1, \dots, p_n$; $p_i \in D$):
  1) Chooses a cyclic group $G$ with generator $g$, like in Section 5, and sends $(q, g, g^{h(p)})$ $\rightarrow$
Server (database $DT$):
  2) STORE($DT$, (login, $q$, $g$, $g^{h(p)}$))

LOG IN:
Client (login, $p' = p'_1, \dots, p'_n$; $p'_i \in D$):
  1) login $\rightarrow$
Server (database $DT$):
  2) $(q, g, d)$ = LOOK-UP($DT$, login);
  $\leftarrow$ 3) Chooses random $b = g^r$ and sends it.
Client:
  4) sends $b^{h(p')}$ $\rightarrow$
Server:
  5) If $b^{h(p')} = d^{r}$ then ACCEPT else REJECT

Fig. 1. Challenge-response password authentication system

Due to space constraints in this version of the paper, proofs of security and 
correctness of the presented protocols are short and informal. 

2 Password Recovery Model 

In this section we discuss the kinds of password authentication (PA) systems for 
which we consider password recovery, define exactly what we mean by password 
recovery, and talk about the kinds of adversaries our protocols need to withstand. 

2.1 Password Authentication (PA) Systems 

Two kinds of participants are involved in PA systems: users (also called clients) and servers. Clients have a username (also called login) and a password $p = p_1, \dots, p_n$, where $p_i \in D$ and $D$ is the domain of characters of passwords ($|D|$ is usually small, e.g., $|D| \approx 100$). For simplicity, we assume that clients always remember their logins, and that the length of the password $n$ is fixed for all users.



Initially, a client registers himself (in the registration phase) with the server by submitting a username and an authenticator (derived from the password), which the server stores in its database. Subsequently, the client can authenticate (in the log in phase) to the server using his username and a proof of knowledge of the password. The server, using the authenticator from the database and the proof of knowledge, can efficiently verify that the user knows the corresponding password. We distinguish three different PA schemes with respect to the security requirements. These systems differ in the way that authenticators and proofs of knowledge are defined: an authenticator can be equal to a password, a proof can be equal to a password (this is the case in hash based systems, where the server stores hashes of passwords), or neither of the above (which is the case for challenge-response type systems, an example of which is presented in Figure 1).

The password recovery for the first system is trivial (because the server stores passwords in clear), and we omit it in this paper. The PR solutions for the other two PA systems are presented in Sections 6 and 7, respectively.

2.2 Client-Server Password Recovery (PR) 

A system for client-server PR has the same participants and log in routine as a PA system. Moreover, it provides an additional routine called password recovery (PR), in which the client tries to recover the lost password. The password registration is also modified: besides submitting the login and the authenticator, the client also submits the recovery data. The client's input in the PR phase is the login and a perturbed (incorrect) password $p' = p'_1, \dots, p'_n$, while the server's input is the database with the logins and the registration data. Local password recovery is similar to client-server password recovery, except that the recovery data is stored locally at the client, and the recovery protocol is run locally at the client.

The requirement is that the client recovers the password if and only if $p'$ is similar to the password $p$ corresponding to his login. To be precise, we define similarity between strings $x$ and $y$ as $x \approx_t y$ ($x$ matches $y$) if and only if $t \le |\{i \in \{1, \dots, n\} : x_i = y_i\}|$. We assume that the parameters $n$ and $t$ are public.

Note that having partial knowledge of the password is a very similar recovery condition to the personal entropy one [7,9]. In the personal entropy system the client needs to answer some threshold of questions (i.e., $t$ out of $n$ questions) to recover the password. The answers to the questions can be considered as an additional password, where every single answer can be treated as a letter. It is easy to transform our systems to work with an auxiliary password, and therefore with personal questions. We skip these straightforward transformations in this paper.

We develop our protocols based on the following assumptions. We assume the existence of secure channels between the server and clients (which can be achieved using TLS connections). We work in the Random Oracle Model (ROM) [1], which means that we assume that hash functions work like random functions. Moreover, we use keyed hash functions, also called message authentication codes (MACs), of the form $h : \{0,1\}^k \times D \to F$, where $F$ is a field. The first parameter of $h$ is a random string of length $k$ (the security parameter). For simplicity, we often omit this parameter in our descriptions.



We look for efficient protocols, i.e., $O(nk)$, at the server side (because many clients might want to perform password recovery simultaneously), but we do allow a certain time penalty at the client side.

2.3 Adversaries and Security Requirements 

All our client-server protocols defend against an adversary impersonating a client. Such an adversary is computationally bounded by $k$ (but not by $n \log |D|$) and is malicious [11], which means he can disobey the protocol's routine. This adversary tries to break a server's privacy, which can be informally defined as follows. The impersonator, after any number of unsuccessful PR runs, can recover more information about the password than follows from the fact that the PR invocations failed only with a probability negligible in $k$. Notice however, that this adversary can always perform an online brute force attack on the PR routine (even using the password's distribution). But this is easily mitigated by adding timeouts or allowing only a fixed number of tries before blocking an account.

We also consider an adversary accessing the server's database in all our client-server protocols. We model this adversary differently than the one impersonating a client, because this adversary can perform an offline brute force attack using the PR routine. Therefore, we define the adversary to not know the password distribution and to be computationally bounded with respect to $k$ and the parameters $n$, $t$, $|D|$ (in a way that the problem from Assumption 4.1 is hard). The adversary tries to break a client's privacy, which can be informally defined as follows. For every two passwords $p'$ and $p''$, the corresponding two PR data instances are indistinguishable. An adversary accessing local PR (see Section 4) is defined in the same way.

Only the challenge-response protocol (Section 7) is resistant against a fully corrupted server. The adversary corrupting the server is computationally bounded by $k$ and tries to gain information about the client's password guesses from the data received in PR runs. We assume that this adversary is malicious in the sense that he performs any actions to break the guesses' privacy. However, there is no point for him to alter the client's output: the client can easily verify correctness of the recovery by logging in. This approach is very similar to private computation from [14]. The guesses' privacy can be defined as follows: from a PR run the adversary gains negligible knowledge about the client's guess.

3 Problems with Using Robust Fuzzy Extractors and Secure Sketches for Client-Server PR

In this section we show the main problems of using secure sketches or fuzzy extractors for solving client-server PR in our strongly secure model. Secure sketches and fuzzy extractors (see [6]) can be used for turning noisy information into cryptographic keys and securely authenticating biometric data.

Now, let's define secure sketches and fuzzy extractors. Let $F$ be a field, $n \in \mathbb{N}$, and $\Delta$ a Hamming distance function in $F^n$. An $(F^n, m, m', r)$-secure sketch is a pair of procedures, "sketch" ($SS$) and "recover" ($Rec$), with the following properties. Firstly, $SS$ on input $w \in F^n$ returns a bit string $s \in \{0,1\}^*$. Secondly, the procedure $Rec$ takes an element $w' \in F^n$ and a bit string $s \in \{0,1\}^*$. The correctness property guarantees that if $\Delta(w, w') \le r$, then $Rec(w', SS(w))$ equals $w$. The security property guarantees that for any distribution $W$ over $F^n$ with min-entropy $m$, the value of $W$ can be recovered by the adversary who observes $s$ with probability no greater than $2^{-m'}$.

An $(F^n, m, l, r, \epsilon)$-fuzzy extractor is a pair of procedures, "generate" ($Gen$) and "reproduce" ($Rep$), with the following properties. Firstly, the procedure $Gen$ on input $w \in F^n$ outputs an extracted string $R \in \{0,1\}^l$ and a helper string $P \in \{0,1\}^*$. Secondly, $Rep$ takes an element $w' \in F^n$ and a string $P \in \{0,1\}^*$ as inputs. The correctness property guarantees that if $\Delta(w, w') \le r$ and $P$ was generated by $(R, P) \leftarrow Gen(w)$ then $Rep(w', P) = R$. The security property guarantees that for any distribution $W$ over $F^n$ with min-entropy $m$, the string $R$ is nearly uniform even for those who observe $P$. A robust version of a fuzzy extractor additionally detects whether the value $P$ got modified by an adversary (which is essential in biometric authentication).

Secure sketches can be used to solve local PR (Section 4) and client-server PR from Section 6. Roughly speaking, the first case is close to the approach from [9]. Let's consider the second case. The client produces $s = SS(p)$ of his password $p$ and sends it to the server, who stores $s$. When the client invokes the PR routine by sending $p'$, the server runs $p'' = Rec(p', s)$ and if $p' \approx_t p''$ then the server sends back $p''$. This solution is sound and secure, i.e., the server can guess $p$ with probability no greater than $2^{-m'}$. However, we do not see a way to transform this solution to the challenge response model, because in this model the server is not allowed to see the password's guesses. We leave finding the transformation of this solution to the challenge response model as future work.

It would appear that Robust Fuzzy Extractors (RFE) can be used to overcome this problem in, for example, the following way. First the client produces $(R, P) = Gen(p)$ and $E_R(p)$ (where $E$ is a symmetric encryption scheme, e.g., AES), and he sends $P$ and $E_R(p)$ to the server, who stores them. When the client invokes the PR routine, the server sends the relevant $P$, $E_R(p)$ to the client. Now, the client can recover $R' = Rep(p', P)$, and try to decrypt: $Dec_{R'}(E_R(p))$. This solution is sound and seems secure. However, in our security model this protocol gives too much information to the adversary impersonating the client, because it allows an offline dictionary attack. We remind the reader that the adversary is computationally bounded by $k$ but not by $n \log |D|$. Therefore, the adversary can simply guess $l$ bits (notice that practically always $l < m < n \log |D|$), and break the protocol. Other solutions based on RFE seem to suffer from the same problem.

4 Local Password Recovery 

As explained in the introduction, a client of local password recovery, similarly to [7,9], keeps the recovery data on his machine (there is no server). The client generates the recovery data and later on tries to recover the lost password from the password guess and the recovery data. In Figure 2 we present a solution for local PR. Its security is based on the following intractability assumption derived from [14], which is related to the polynomial list reconstruction problem.



Password Registration: The input is $p = p_1, \dots, p_n$, where $p_i \in D$, and $|D| = m$. The client:

1. Generates $v \in_R \{0,1\}^k$, and $n$ values $\{h_1(p_1), \dots, h_n(p_n)\}$. Every $h_i$ is a MAC with implicit first parameter $v$ as described in Section 2.2.

2. Generates $n$ random values $s_1, \dots, s_n \in F$ in such a way that the points $\{(h_1(p_1), s_1), \dots, (h_n(p_n), s_n)\}$ define a polynomial $P$ of degree $t-1$, and $P(0) = p$.

3. Returns $PR = (v, \{s_1 - g_1(p_1), \dots, s_n - g_n(p_n)\})$; each $g_i$ is a MAC similar to $h_i$.

Password Recovery: The input is $p' = p'_1, \dots, p'_n$ and $PR = (v, \{s'_1, \dots, s'_n\})$.

1. The client computes the set $S = \{(h_1(p'_1), s'_1 + g_1(p'_1)), \dots, (h_n(p'_n), s'_n + g_n(p'_n))\}$.

2. The client tries to reconstruct $P$ from any subset of $t$ elements of $S$ (that is $\binom{n}{t}$ checks). He checks whether for any potentially recovered polynomial $P'$ the following holds (let $p'' = P'(0)$): $p'' \approx_t p'$ and $\{(h_1(p''_1), s'_1 + g_1(p''_1)), \dots, (h_n(p''_n), s'_n + g_n(p''_n))\}$ defines a polynomial of degree $n$. If it holds then he outputs $p''$. If it does not hold for any $P'$ then the client outputs 0.

Fig. 2. Local Password Recovery

The intractability assumption. Let $C^{t,m}_{a,n}$ denote the probability distribution of sets generated in the following way:

1. Pick a random polynomial $P$ over $F$ (denote $|F| = f$), of degree at most $t$, such that $P(0) = a$.

2. Generate $nm$ random values $x_1, \dots, x_{nm} \in F$ subject to the constraint that all are distinct and different from 0.

3. Choose a random subset $S$ of $n$ different indexes in $\{1, \dots, nm\}$, and set $y_i = P(x_i)$ for all $i \in S$. For every $i \notin S$ set $y_i$ to be a random value in $F$.

4. Partition the $nm$ pairs $(x_i, y_i)$ into $n$ random subsets subject to the following constraints. Firstly, the subsets are disjoint. Secondly, each subset contains exactly one pair whose index is in $S$ (hence $y_i = P(x_i)$) and exactly $m-1$ pairs whose indexes are not in $S$. We denote these subsets as $S_i = \{(x_{(i,j)}, y_{(i,j)})\}$. Output the resulting subsets.

The intractability assumption states that for any $a, a'$ the two probability ensembles $C^{t,m}_{a,n}$, $C^{t,m}_{a',n}$ are computationally indistinguishable, depending on the parameters $f$, $t$, $m$, and $n$.

Assumption 4.1 (Assumption 2 from [14]) Let $k$ be a security parameter, and let $n(k), m(k), t(k), f(k)$ be at least linear polynomially bounded functions that define the parameters $n$, $m$, $t$ and $f$. Let $C^{t,m}_{a,n}$ and $C^{t,m}_{a',n}$ be random variables that are chosen according to the distributions $C^{t,m}_{a,n}$ and $C^{t,m}_{a',n}$, respectively. Then it holds that for every $a, a' \in F$, the probability ensembles $C^{t,m}_{a,n}$ and $C^{t,m}_{a',n}$ are computationally indistinguishable.

In our applications the assumption's parameters are set as follows: $n$ and $t$ like in PR, $m = |D|$ and $F = \mathbb{Z}_q$, where $q$ is a large prime. One may argue that $n$, $t$ and $|D|$ are relatively small parameters (e.g., $n$ is the length of passwords) and that they might not deliver good security to the system. However, notice that in the personal entropy setting (i.e., the question-answer setting) the parameters can be significantly enlarged. Moreover, we are not aware of any algorithm solving the assumption problem (i.e., finding $a$) in our setting faster than by guessing $t$ proper points.

We are conscious that for similar problems there exist fast solutions. For example, if in the above problem all $x_{(i,j)} = i$ then the problem can be solved fast (see [3,4]). However, these fast algorithms do not solve the problem from Assumption 4.1, as stated in [14].

The local PR solution. Now we describe the protocol. In the first step the client prepares PR data: $v$ and $\{s_1 - g_1(p_1), \dots, s_n - g_n(p_n)\}$, such that $\{(h_1(p_1), s_1), \dots, (h_n(p_n), s_n)\}$ define a polynomial $P$ of degree $t-1$, for which $P(0) = p$. Here, $h_i, g_i$ are hash functions (see Figure 2). Afterwards, the client forgets the password, and tries to recover it from $S = \{(h_1(p'_1), s_1 - g_1(p_1) + g_1(p'_1)), \dots, (h_n(p'_n), s_n - g_n(p_n) + g_n(p'_n))\}$. If $p \approx_t p'$ then he obtains in $S$ at least $t$ proper points belonging to $P$, and can derive the password $P(0)$. Otherwise, informally speaking, the client needs to solve the problem from Assumption 4.1.
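To make Figure 2 concrete, the following Python example (added here; it is not the paper's code) implements registration and recovery over a 127-bit prime field, with the MACs $h_i$ and $g_i$ instantiated as HMAC-SHA256 keyed by $v$ and domain-separated by position. The choice of prime, the encoding of the password as a field element, and the reading of the final consistency check as "all $n$ points recomputed from $p''$ lie on the recovered degree $t-1$ polynomial" are assumptions of this example.

```python
import hashlib
import hmac
import itertools
import os

# Field F = Z_q. The page only says q is a large prime; this Mersenne prime
# is a constructed choice for the example.
Q = (1 << 127) - 1


def mac(v: bytes, tag: str, i: int, c: str) -> int:
    """h_i (tag 'h') and g_i (tag 'g'): keyed hashes with implicit first
    parameter v, domain-separated by the position i, mapped into Z_q."""
    msg = f"{tag}|{i}|{c}".encode()
    return int.from_bytes(hmac.new(v, msg, hashlib.sha256).digest(), "big") % Q


def lagrange_at(points, x0: int) -> int:
    """Evaluate at x0 the unique polynomial of degree < len(points) through
    the given (x, y) points (Lagrange interpolation in Z_q)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total


def register(p: str, t: int):
    """Password registration of Fig. 2: returns PR = (v, [s_i - g_i(p_i)])."""
    n = len(p)
    v = os.urandom(16)
    # Random polynomial P of degree t-1 with P(0) = p (password as a field element).
    coeffs = [int.from_bytes(p.encode("ascii"), "big")] + [
        int.from_bytes(os.urandom(16), "big") % Q for _ in range(t - 1)]

    def P(x):
        return sum(a * pow(x, k, Q) for k, a in enumerate(coeffs)) % Q

    # s_i = P(h_i(p_i)); only s_i - g_i(p_i) is stored.
    return v, [(P(mac(v, "h", i, p[i])) - mac(v, "g", i, p[i])) % Q for i in range(n)]


def recover(p_guess: str, pr, t: int):
    """Password recovery of Fig. 2: returns the password or None."""
    v, hidden = pr
    n = len(p_guess)
    S = [(mac(v, "h", i, c), (hidden[i] + mac(v, "g", i, c)) % Q)
         for i, c in enumerate(p_guess)]
    for subset in itertools.combinations(range(n), t):   # C(n, t) checks
        pts = [S[i] for i in subset]
        cand = lagrange_at(pts, 0)                         # p'' = P'(0)
        if cand >= 256 ** n:
            continue            # not an n-character string: subset held a wrong point
        raw = cand.to_bytes(n, "big")
        if not raw.isascii():
            continue
        p2 = raw.decode("ascii")
        # p'' must agree with the guess in at least t positions ...
        if sum(a == b for a, b in zip(p2, p_guess)) < t:
            continue
        # ... and all n points recomputed from p'' must lie on the recovered polynomial.
        if all(lagrange_at(pts, mac(v, "h", i, c)) == (hidden[i] + mac(v, "g", i, c)) % Q
               for i, c in enumerate(p2)):
            return p2
    return None
```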

Theorem 4.2 (Local PR Security). An adversary $A$ attacking PR from Figure 2 first produces two passwords $p_0, p_1$, and sends them to an oracle. Then the oracle chooses $b \in_R \{0,1\}$, performs password registration for $p_b$, and sends the result back. Finally, $A$ outputs his guess of $b$.

$A$ succeeds with some probability $\frac{1}{2} + \alpha$. We denote his advantage as $\alpha$. Working in ROM, no $A$ having non-negligible advantage exists under Assumption 4.1.

Proof (sketch). Assume to the contrary that there exists an adversary $A$ that attacks our local PR with non-negligible advantage. Using $A$, we construct an adversary $A^*$ that breaks Assumption 4.1. Firstly, $A$ sends $p_0, p_1$ to $A^*$. $A^*$ forwards them to an intractability oracle (corresponding to Assumption 4.1). This oracle chooses $b \in_R \{0,1\}$, and answers with $n$ subsets $S_i = \{(x_{(i,j)}, y_{(i,j)})\}$ sampled from $C^{t,m}_{p_b,n}$. Now $A^*$ sends to $A$: $v \in_R \{0,1\}^k$, and $n$ random points in $F$: $\{r_1, \dots, r_n\}$. $A^*$ defines random oracles (representing $h_i$ and $g_i$) in the following way: for all $j \in D$ and $i \in \{1, \dots, n\}$: $RO_{h_i}(j) = x_{(i,j)}$ and $RO_{g_i}(j) = y_{(i,j)} - r_i$. $A^*$ outputs the result of $A$. Notice the importance of the implicit random parameter $v$, which lets random oracles, for two different PR runs, have different outputs (even for the same password).

Because of working in ROM, the distribution of $A$'s input, created in such a way by $A^*$ for $p_b$, is identical to the distribution of the client's input created in password registration (from Figure 2) for $p_b$. Therefore, $A^*$'s advantage is equal to $A$'s advantage, and Assumption 4.1 is broken. □

5 Equivocable Threshold Cryptosystem

In this section we define an equivocable threshold encryption (TE) scheme, and we present a slightly modified threshold ElGamal scheme (based on [17], and the "normal" ElGamal scheme [10]) that is equivocable. Subsequently, in Sections 6 and 7 we use this scheme to solve the PR problem.

In [8] a standard TE scheme consists of the following components. A key generation algorithm KG takes as input a security parameter $k$, the number of decryption servers $n$, the threshold parameter $t$ and randomness; it outputs a public key $pk$, a list $\alpha_1, \dots, \alpha_n$ of private keys, and a list $vk_1, \dots, vk_n$ of verification keys. An encryption algorithm Enc takes as input the public key $pk$, randomness and a plaintext $m$; it outputs a ciphertext $c$. A share decryption algorithm SD takes as input the public key $pk$, an index $i \in \{1, \dots, n\}$, the private key $\alpha_i$ and a ciphertext $c$; it outputs a decryption share $c_i$ (also called partial decryption) and a proof of its validity $pr_i$. Finally, a combining algorithm CM takes as input the public key $pk$, a ciphertext $c$, a list $c_1, \dots, c_n$ of decryption shares, a list $vk_1, \dots, vk_n$ of verification keys, and a list $pr_1, \dots, pr_n$ of validity proofs. It performs decryption using any subset of $\{c_1, \dots, c_n\}$ of size $t$ for which the corresponding proofs are verified. If there is no such set then CM fails.

An equivocable TE scheme consists of the same components as above, but: KG does not produce verification keys, SD does not produce validity proofs, and validity proofs are not part of CM's input. Therefore, CM simply checks if a decryption is possible for any subset $c_{i_1}, \dots, c_{i_t}$ (that is $\binom{n}{t}$ checks).

A secure equivocable TE scheme should fulfill the standard TE security definition called threshold CPA [8]. Notice that omitting validity proofs does not help a malicious combiner to decrypt, because he possesses less data than for standard TE. A secure equivocable TE scheme moreover has the following properties. After any number of CM invocations, a malicious combiner (which does not know any secret shares) gains no information about: (1) the plaintexts in unsuccessful runs (semantic security) and (2) the shares used in unsuccessful runs for producing partial decryptions. We formalize this intuition in Definition 5.1.

Definition 5.1 (Equivocable Security). Define an oracle $O$. Firstly, $O$ performs algorithm KG (for the parameters stated above). Then $O$ can be accessed by the following procedures:

$S(m)$: returns an encryption $c$ of $m$, and correct decryption shares $c_1, \dots, c_n$.

$I(m, i_1, \dots, i_{t-1})$, where $i_1, \dots, i_{t-1} \in \{1, \dots, n\}$ and $|\{i_1, \dots, i_{t-1}\}| = t-1$: produces an encryption $c$ of $m$, and $x_1, \dots, x_n$, where $x_i = SD(pk, i, \alpha_i, c)$ if $i \in \{i_1, \dots, i_{t-1}\}$, and $x_i = SD(pk, i, r_i, c)$ (where $r_i$ is a random value) otherwise; returns $c, x_1, \dots, x_n$.

$F(m)$: returns $c$, $SD(pk, 1, r_1, c), \dots, SD(pk, n, r_n, c)$; every $r_i$ is a random value.

First game (corresponds to property 1):

1. $O$ invokes KG, and sends a public key to a malicious combiner $C_1$.

2. $C_1$ sends a message $m$ to the oracle $O$, which returns $S(m)$. This step is repeated as many times as the combiner wishes.

3. $C_1$ chooses $m_0, m_1$ and sends them to the oracle.

4. $C_1$ chooses $i_1, \dots, i_{t-1} \in \{1, \dots, n\}$, and sends them to $O$, which chooses $b \in_R \{0,1\}$. Then $O$ sends back $I(m_b, i_1, \dots, i_{t-1})$. This step is repeated as many times as the combiner wishes.

5. $C_1$ repeats Step 2 and finally outputs his guess of $b$.

No polynomial time adversary $C_1$ guesses $b$ with a non-negligible advantage.

Second game (corresponds to property 2):

1. $O$ invokes KG, and sends a public key to a malicious combiner $C_2$.

2. The same as Step 2 of $C_1$.

3. $C_2$ chooses $m$ and sends it to the oracle.

4. $C_2$ chooses $i_1, \dots, i_{t-1} \in \{1, \dots, n\}$, and sends them to $O$, which chooses $b \in_R \{0,1\}$. Then $O$ sends back $I(m, i_1, \dots, i_{t-1})$ if $b = 0$, and $F(m)$ otherwise. This step is repeated as many times as the combiner wishes.

5. $C_2$ repeats Step 2 and finally outputs his guess of $b$.

No polynomial time adversary $C_2$ guesses $b$ with a non-negligible advantage.

5.1 ElGamal Equivocable TE Scheme 

In this section we introduce our version of the ElGamal scheme and prove that this version is securely equivocable.

Let $G = \langle g \rangle$ denote a finite cyclic (multiplicative) group of prime order $q$ for which the Decision Diffie-Hellman (DDH) problem is assumed to be infeasible: given $g^\alpha, g^\beta, g^\gamma$, where either $g^\gamma \in_R G$ ($\in_R$ means that a value is chosen uniformly at random from a set) or $\alpha\beta = \gamma \bmod q$, it is infeasible to decide whether $\alpha\beta = \gamma \bmod q$. This implies that the computational Diffie-Hellman problem, which is to compute $g^{\alpha\beta}$ given $g^\alpha, g^\beta \in_R G$, is infeasible as well. In turn, this implies that the Discrete Log problem, which is to compute $\log_g h = \alpha$ given $g^\alpha \in_R G$, is infeasible. We use the group $G$ defined as the subgroup of quadratic residues modulo a prime $p$, where $q = (p-1)/2$ is also a large prime. This group is believed to have the above properties.

In the ElGamal scheme the public key consists of $q$, a generator $g$ of $G$, and $h = g^\alpha$, while the private key is $\alpha \in \{0, \dots, q-1\}$. For this public key, a message $m \in G$ is encrypted as a pair $(a, b) = (g^r, m h^r)$, with $r \in_R \mathbb{Z}_q$. Encryption is multiplicatively homomorphic: given encryptions $(a, b), (a', b')$ of messages $m, m'$, respectively, an encryption of $m \cdot m'$ is obtained as $(a, b) \cdot (a', b') = (aa', bb') = (g^{r+r'}, m \cdot m' \cdot h^{r+r'})$. Given the private key $\alpha = \log_g h$, decryption of $(a, b) = (g^r, m h^r)$ is performed by calculating $b / a^\alpha = m$.

ElGamal semantic security can be defined using the following game. An oracle first sends $pk = (q, g, h)$ to an adversary. Then the adversary sends plaintexts $m_0, m_1 \in G$ to the oracle, which answers, for $b \in_R \{0,1\}$, with $(g^r, m_b h^r)$. Finally, the adversary guesses $b$. The scheme is semantically secure if the adversary's advantage is negligible. The ElGamal scheme achieves semantic security under the DDH assumption.

In this paper we use a $(t, n)$-threshold ElGamal cryptosystem based on [17], in which encryptions are computed using a public key $pk = (q, g, h)$, while decryptions are done using a joint protocol between $n$ parties. The $i$th party holds a share $\alpha_i \in \mathbb{Z}_q$ of the secret key $\alpha = \log_g h$, where the corresponding $h_i = g^{\alpha_i}$ can be made public. As long as at least $t$ parties take part, decryption succeeds, whereas fewer than $t$ parties are not able to decrypt.

We set the shares as follows: the dealer makes the polynomial $f(x) = \sum_{i=0}^{t-1} a_i x^i \bmod q$, by picking $a_i \in_R \mathbb{Z}_q$ (for $0 < i < t$) and $a_0 = f(0) = \alpha$. In the original scheme, the $i$th share is $\alpha_i = f(i)$, while in our scheme $\alpha_i = f(x_i)$, and each $x_i \in_R \mathbb{Z}_q$ is made public. The scheme's security is based on linear secret sharing [18]: $t$ points of a polynomial of degree $t-1$ are sufficient to recover the polynomial and fewer points give no knowledge about $f(0)$.

The reconstruction of the plaintext can be performed in the following way. For some $c = (g^r, m h^r)$, it is required to have $t$ proper partial decryptions $g^{r\alpha_i}$ and $x_i$ (for $i \in S$, $|S| = t$), which can be combined to compute (for any $x_0$):

$$g^{r f(x_0)} = \prod_{i \in S} g^{r \alpha_i \lambda_{x_0,i}} \bmod p, \quad \text{where } \lambda_{x_0,i} = \prod_{i' \in S \setminus \{i\}} \frac{x_0 - x_{i'}}{x_i - x_{i'}} \bmod q \qquad (1)$$

Hence, because $g^{r f(0)}$ can be computed, $c$ can be decrypted as follows: $m h^r / g^{r\alpha} = m$. Equation (1) describes a polynomial interpolation in the exponent.
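As an added example (not code from the paper), the following Python implements the variant of threshold ElGamal described above with public random $x_i$, the interpolation in the exponent of Equation (1), and a combiner that, lacking validity proofs, tries each $t$-subset of partial decryptions and keeps the one whose plaintext it can recognise. The 64-bit safe prime searched for at import time, the generator $g = 4$, and the small dictionary of recognisable plaintexts are constructed for the example and are not a deployment choice.

```python
import itertools
import secrets

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin; deterministic for n < 3.3e24 with these bases."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    """First safe prime p = 2q + 1 with q >= 2^(bits-1): a constructed toy group."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime(64)  # G = quadratic residues mod p, a group of prime order q
G = 4                  # 2^2 is a quadratic residue and hence generates G

def lagrange_coeff(xs, i, x0):
    """lambda_{x0,i} of Eq. (1): product over i' != i of (x0 - x_i')/(x_i - x_i') mod q."""
    lam = 1
    for j, xj in enumerate(xs):
        if j != i:
            lam = lam * (x0 - xj) * pow((xs[i] - xj) % Q, -1, Q) % Q
    return lam

def keygen(n, t):
    """Dealer: f(x) = sum a_k x^k mod q with a_0 = alpha; share i is alpha_i = f(x_i)
    for a public random x_i (the page's variant of [17]). Returns pk, xs, shares."""
    coeffs = [secrets.randbelow(Q) for _ in range(t)]
    xs = []
    while len(xs) < n:                       # distinct nonzero x_i
        x = secrets.randbelow(Q - 1) + 1
        if x not in xs:
            xs.append(x)
    shares = [sum(a * pow(x, k, Q) for k, a in enumerate(coeffs)) % Q for x in xs]
    return (G, pow(G, coeffs[0], P)), xs, shares

def encrypt(pk, m):
    """ElGamal: (g^r, m h^r) for a message m in G."""
    g, h = pk
    r = secrets.randbelow(Q)
    return pow(g, r, P), m * pow(h, r, P) % P

def share_decrypt(share, c):
    """SD without a validity proof: the partial decryption g^{r alpha_i}."""
    return pow(c[0], share, P)

def combine_subset(c, xs_sub, parts_sub):
    """g^{r f(0)} by interpolation in the exponent (Eq. (1) with x0 = 0), then m = b / g^{r alpha}."""
    acc = 1
    for i, part in enumerate(parts_sub):
        acc = acc * pow(part, lagrange_coeff(xs_sub, i, 0), P) % P
    return c[1] * pow(acc, -1, P) % P

def combine(c, xs, parts, t, is_plausible):
    """Equivocable CM: with no proofs it tries every t-subset and returns the
    first plaintext the application can recognise, or None."""
    for subset in itertools.combinations(range(len(parts)), t):
        m = combine_subset(c, [xs[i] for i in subset], [parts[i] for i in subset])
        if is_plausible(m):
            return m
    return None

def demo():
    """Constructed run of 3-of-5 sharing. Returns the plaintext recovered from
    (a) five honest parts, (b) two parts computed with random wrong shares plus
    three honest ones, (c) only two honest parts plus two wrong ones."""
    pk, xs, shares = keygen(5, 3)
    allowed = {pow(v, 2, P) for v in range(1, 100)}   # plaintexts the combiner recognises
    m = pow(42, 2, P)
    c = encrypt(pk, m)
    honest = [share_decrypt(a, c) for a in shares]
    wrong = [share_decrypt(secrets.randbelow(Q), c) for _ in range(2)] + honest[2:]
    return (combine(c, xs, honest, 3, allowed.__contains__),
            combine(c, xs, wrong, 3, allowed.__contains__),
            combine(c, xs, honest[:2] + wrong[:2], 3, allowed.__contains__))
```

Case (c) is the situation Definition 5.1 cares about: the combiner sees partial decryptions but, holding fewer than $t$ correct ones, no subset yields a recognisable plaintext.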

We now show that our TE scheme is equivocable with respect to Definition 5.1 under the DDH assumption. For simplicity, we assume that the combiner receives only the data from unsuccessful invocations. However, the successful ones can be handled in a similar way to the security proof of [17]. We prove some lemmas, and then, based on them, we show that our scheme is equivocable.

Lemma 5.2 (Run Independence). We define the following game. Firstly, an adversary $A$ gets from an oracle a public key $pk = (q, g, g^{\alpha})$, and parameters $t, n$. Secondly, the oracle: chooses $b \in_R \{0, 1\}$, prepares a list of shares $\{(x_1, \alpha_1), \dots, (x_n, \alpha_n)\}$ with secret key $\alpha$, and sends $x_1, \dots, x_n$ to $A$. Then, $A$ chooses two plaintexts $p_0$ and $p_1$, and sends them to the oracle. Now, $A$ repeats as many times as he wishes the following step: $A$ chooses any $i_1, \dots, i_{t-1} \in \{1, \dots, n\}$ and sends them to the oracle, which returns: $g^r, p_b \cdot g^{r\alpha}, g^{r\alpha_{i_1}}, \dots, g^{r\alpha_{i_{t-1}}}$, where $r \in_R \mathbb{Z}_q$ is chosen by the oracle. Finally, $A$ outputs his guess of $b$.

No polynomial adversary $A$ guesses $b$ with non-negligible advantage under the DDH assumption.

Proof (sketch). Assume that $A$ asks the oracle for partial decryptions at most $d$ times (where $d$ is polynomial in $k$). For simplicity, we assume here that $n = t = 2$ and $d = 2$. The proof for greater $n$, $t$, and $d$ can be made similarly.

Assume to the contrary that there exists an $A$ that wins the game with a non-negligible advantage $a$. Using $A$ we construct an adversary $A^*$ that breaks the ElGamal semantic security. Firstly, $A^*$ receives a public key $pk = (q, g, g^{\alpha})$ from a "semantic security" oracle, and forwards it to $A$. $A^*$ also generates $x_1, x_2 \in_R \mathbb{Z}_q$ and sends them to $A$. Then $A$ chooses plaintexts $p_0, p_1$, and sends them to $A^*$. Subsequently, $A^*$ forwards them to the oracle, which answers with $g^{r_1}, p_b g^{r_1 \alpha}$. Now, $A^*$ chooses $j \in_R \{1, 2\}$ and $\alpha_j \in_R \mathbb{Z}_q$. $A^*$ computes, using Equation (1), such $g^{\alpha_{i}}$ for the remaining index $i \neq j$ that the points $\{(0, \alpha), (x_1, \alpha_1), (x_2, \alpha_2)\}$ define a polynomial of degree 1. Then $A^*$ chooses $b' \in_R \{0, 1\}$, and a random permutation $\pi : \{1, 2\} \to \{1, 2\}$.

Subsequently, $A$ asks for partial decryptions. When $A$ asks the $e$th time (1st or 2nd time) and $\pi(e) = 1 \wedge i_1 = j$ then $A^*$ answers: $g^{r_1}, p_b \cdot g^{r_1 \alpha}, g^{r_1 \alpha_j}$. If $\pi(e) = 1$ and $i_1 \neq j$ then $A^*$ halts and outputs a random bit. Eventually, if $\pi(e) \neq 1$ then $A^*$ sends to $A$ (for $r \in_R \mathbb{Z}_q$): $g^r, p_{b'} \cdot g^{r\alpha}, g^{r\alpha_{i_1}}$. Finally, $A^*$ returns $A$'s output.

Notice that in the case $\pi(e) = 1$, the probability that $i_1 \neq j$ (and the attack stops with a random output) is $\frac{1}{2}$. Assume that it does not happen. Note that if $b' = b$ then $A$'s input is well constructed and the probability that $A$ outputs $b$ is $\frac{1}{2} + a$. Otherwise, because of the random permutation $\pi$, $A$'s input is distributed independently of $b$ (even if the adversary asks fewer than $d = 2$ times). Thus, the probability of $A$ guessing correctly is $\frac{1}{2}$ in this case. Therefore, $A^*$'s advantage is $a/4$. □

The proof for greater $n$ and $t$ is easy: $A^*$ can simply produce more data $\alpha_j$. In the case of $d > 2$, the proof is modified as follows. $A^*$ chooses randomly $t - 1$ indexes and the corresponding shares. Then $A^*$ chooses $b' \in_R \{0, \dots, d - 1\}$, and constructs the answer to the $e$th question of $A$ ($1 \le e \le d$) as follows. If $\pi(e) = 1$ ($\pi$ is a random permutation of the set $\{1, \dots, d\}$) then, if $A^*$ knows $\alpha_{i_1}, \dots, \alpha_{i_{t-1}}$, then $A^*$ answers with $g^{r_1}, p_b \cdot g^{r_1 \alpha}, g^{r_1 \alpha_{i_1}}, \dots, g^{r_1 \alpha_{i_{t-1}}}$. If $\pi(e) = 1$ and $A^*$ does not have the corresponding shares then $A^*$ finishes and outputs a random bit. Otherwise ($\pi(e) > 1$), $A^*$ answers (using Equation (1)) with:

$$g^r,\ p_x \cdot g^{r\alpha},\ g^{r\alpha_{i_1}}, \dots, g^{r\alpha_{i_{t-1}}} \quad \text{where } x = \begin{cases} 0 & \text{if } \pi(e) - 1 < b' \\ 1 & \text{otherwise.} \end{cases}$$

Finally, $A$'s result is returned by $A^*$.

This construction ensures that $A$'s input is either well constructed or, because of the permutation $\pi$, is produced independently of $b$. The probability of not returning a random bit (when $\pi(e) = 1$) is $1/\binom{n}{t-1}$, and is non-negligible in $k$. Details of this construction are quite straightforward, and we omit them here.

Lemma 5.3 (Run Indistinguishability). We define the following game. Firstly, an adversary $A$ gets from an oracle a public key $pk = (q, g, g^{\alpha})$, and parameters $t, n$. Secondly, the oracle: chooses $b \in_R \{0, 1\}$, prepares a list of shares $\{(x_1, \alpha_1), \dots, (x_n, \alpha_n)\}$ with a secret key $\alpha$, and sends $x_1, \dots, x_n$ to $A$. Now, $A$ repeats as many times as he wishes the following step. $A$ chooses a set $I = \{i_1, \dots, i_{t-1}\}$ (where each $i_l \in \{1, \dots, n\}$ and $|I| = t - 1$) and sends it to the oracle. If $b = 0$ then the oracle chooses $r \in_R \mathbb{Z}_q$ and answers with: $g^r, g^{r\alpha}, g^{r\alpha_{i_1}}, \dots, g^{r\alpha_{i_{t-1}}}$. Otherwise the oracle chooses $r, r_1, \dots, r_{t-1} \in_R \mathbb{Z}_q$ and answers with: $g^r, g^{r\alpha}, g^{r r_1}, \dots, g^{r r_{t-1}}$. Finally, $A$ outputs his guess of $b$.

No polynomial adversary $A$ guesses $b$ with non-negligible advantage under the DDH assumption.

The proof sketch of this lemma is in Appendix B.

Corollary 5.4. We define the following game. Firstly, an oracle: chooses $b \in_R \{0, 1\}$, generates a public key $pk = (q, g, g^{\alpha})$, and a list of random elements (in $\mathbb{Z}_q$): $\{(x_1, \alpha_1), \dots, (x_l, \alpha_l)\}$. Secondly, the oracle sends $l$, $pk$, and $x_1, \dots, x_l$ to an adversary $A$. The following action is repeated as many times as $A$ wishes: if $b = 0$ then the oracle chooses $r \in_R \mathbb{Z}_q$ and sends to $A$: $g^r, g^{r\alpha}, g^{r\alpha_1}, \dots, g^{r\alpha_l}$. Otherwise the oracle chooses $r, r_1, \dots, r_l \in_R \mathbb{Z}_q$ and sends: $g^r, g^{r\alpha}, g^{r r_1}, \dots, g^{r r_l}$. Finally, $A$ outputs his guess of $b$.

No polynomial adversary $A$ that guesses $b$ with non-negligible advantage exists under the DDH assumption.



Proof. Follows directly from Lemma 5.3 for parameters $t = l$ and $n = l + 1$. □



Now, based on Lemmas 5.2 and 5.3, we show that our TE scheme is equivocable.



Theorem 5.5 (ElGamal Equivocable TE Scheme). The ElGamal TE scheme described above in Section 5.1 is equivocable with respect to Definition 5.1 under the DDH assumption.

Proof. Successful combining invocations can be handled like in the security proof from [17]. This theorem, for unsuccessful invocations, follows directly from Lemma 5.2 for the first game, and from Lemma 5.3 for the second game. □

6 Password Recovery for the Hash based PA System 

In this section we present solutions that work for the most widely used PA system. We first present a simple and secure PR scheme that has a functional drawback: the server's time complexity is too high for many scenarios. Secondly, we show a solution that eliminates this drawback.

6.1 Simple PR System for the Hash based PA System 

In the simple PR system the server performs all important security actions. During the registration the client sends to the server the login and the password $p$. The server generates the local PR data, like in Section 4. Later, if the client wants to recover $p$, he sends a perturbed password $p'$ to the server, who runs the local PR routine (Section 4). If the recovery was successful then $p$ is sent to the client, and the request is rejected otherwise. The correctness and the security of this protocol follow directly from the corresponding local PR properties.

Notice that the client's privacy is not protected during the protocol's run (the server even knows the result of PR). Furthermore, there are two significant drawbacks: $\binom{n}{t}$ checks on the server side, and we do not foresee any way to transform this protocol to work in the more secure challenge-response model. These problems are solved in Section 6.2.

6.2 Improved PR System for the Hash based PA System 

We improve the simple PR scheme by combining the equivocable TE scheme (Section 5) with local PR. In this solution, the client checks whether the password recovery is possible. Therefore, the server's time complexity is efficient. The improved PR system is presented in Figure 3.

During registration the client first produces a public key $(q, g, g^{\alpha})$ of the equivocable TE scheme, with the corresponding secret key $\alpha$, and computes an encryption $c$ of the password $p$. Subsequently, he generates the PR data: secret values $v_1, v_2$ (they have the same meaning as $v$ in local PR) and points $\{(\phi_i(p_i), \alpha_i - \varrho_i(p_i)) \mid i \in \{1, \dots, n\}\}$; the points $\{(\phi_i(p_i), \alpha_i)\}$ together with $(0, \alpha)$ define the polynomial of degree $t - 1$. This construction is very similar to the local PR registration. The client also produces the login and the hash of the password for the PA system. Then all these data are stored on the server. Intuitively, the server cannot recover more than in local PR, because he stores the local PR data and an encryption of the password under the secret of the local PR data.



PASSWORD REGISTRATION: The client's input is: login and $p = p_1, \dots, p_n$ ($p_i \in D$); the server's input is his database.

1. The client chooses $v_1, v_2 \in_R \{0, 1\}^k$ and

2. generates a public key of the $(t, n)$-TE scheme (Section 5): $pk = (q, g, h = g^{\alpha})$. Then he generates shares $(x_1, \alpha_1), \dots, (x_n, \alpha_n) \in \mathbb{Z}_q^2$ of the secret key $\alpha$, where $x_i = \phi_i(p_i)$; $\phi$ is a MAC (described in Section 2.2) with implicit parameter $v_1$.

3. The client computes an encryption of the password $p$: $c = (g^r, p \cdot h^r)$, and

4. produces $PR = (pk, v_1, v_2, c, \{\alpha_1 - \varrho_1(p_1), \dots, \alpha_n - \varrho_n(p_n)\})$; $\varrho$ is a MAC with implicit parameter $v_2$. Then he sends $(login, H(p), PR)$ ($H$ is from the PA system).

5. The server stores $(login, H(p), PR)$ in his database.

LOG IN: The client sends his login and $p$ to the server, which accepts the client if $H(p)$ is equal to the corresponding value from the database.

PASSWORD RECOVERY: The client's input is: login and $p' = p'_1, \dots, p'_n$ ($p'_i \in D$); the server's input is his database.

1. The client sends $(login, p')$ to the server.

2. The server performs:

(a) finds $PR = (pk, v_1, v_2, c, \{y_1, \dots, y_n\})$ corresponding to login in the database.

(b) re-randomizes $c = (a, b)$ by $c' = (a \cdot g^{r'}, b \cdot h^{r'})$; write $c' = (a', b')$.

(c) produces $n$ potential partial decryptions of $c'$: $\forall_{i \in \{1, \dots, n\}}\ c'_i = a'^{\,y_i + \varrho_i(p'_i)}$.

(d) sends $pk$, $c'$, and the partial decryptions $\{c'_1, \dots, c'_n\}$ to the client.

3. Using $\{(\phi_1(p'_1), c'_1), \dots, (\phi_n(p'_n), c'_n)\}$, the client performs a CM invocation from Section 5. If a decryption $p''$ matches $p'$ then the client outputs $p''$.

Fig. 3. Improved PR for UNIX-based Log In

If the client forgets the password then he invokes the PR routine by sending the login and a guess $p'$. Subsequently, the server produces, using the homomorphic property, a new encryption $c'$ of $p$. Afterwards, the potential partial decryptions $\{c'_i = (g^{r+r'})^{y_i + \varrho_i(p'_i)} \mid i \in \{1, \dots, n\}\}$ are produced. Notice that if $p'_i = p_i$ then $(\phi_i(p_i), c'_i)$ is a proper partial decryption of $c'$. Later on, the server sends $v_1$ (so the client can compute $\phi$), $c'$, and $c'_1, \dots, c'_n$. If $p' \approx_t p$, then the client can easily obtain $p$, because he has at least $t$ proper partial decryptions. Otherwise, the client does not have enough correct partial decryptions to obtain $p$. Moreover, because of the equivocable property of the TE scheme, the client cannot recognize which partial decryptions are correct from the data of many unsuccessful PR runs.

$v_1$ and $v_2$ are implicit parameters for $\phi$ and $\varrho$, respectively, that are used to make different local PR data indistinguishable. $v_1$ is public (it is sent to the client before any authentication), while $v_2$ is not revealed to the client, so he cannot locally compute $\varrho$.
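As an added, constructed example (not the paper's own code) of the Section 5 threshold ElGamal scheme with shares at MAC-derived points and of the Figure 3 protocol: a toy safe-prime group, HMAC-SHA256 standing in for the MACs $\phi_i$ and $\varrho_i$, passwords of $n = 6$ lowercase letters with $t = 4$, and a client that tries every $t$-subset as in Step 3. The group size and these parameters are assumptions for illustration only, and "$p''$ matches $p'$" is read as $p'' \approx_t p'$.

```python
import hashlib, hmac, os, random
from itertools import combinations

rnd = random.SystemRandom().randrange

def is_prime(n):
    return n > 2 and all(n % k for k in range(2, int(n ** 0.5) + 1))

def safe_prime_group(bits=29):
    """Toy group: q and p = 2q + 1 prime; G = <4> is the order-q subgroup of squares mod p."""
    q = (1 << bits) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = safe_prime_group()
D, N, T = "abcdefghijklmnopqrstuvwxyz", 6, 4   # letter domain, password length n, threshold t
assert len(D) ** N < Q                         # every password encodes into [1, q]

def encode(pw):
    """Password -> group element: the integer m in [1, q], squared mod p."""
    m = 0
    for ch in pw:
        m = m * len(D) + D.index(ch)
    return pow(m + 1, 2, P)

def decode(elem):
    """Inverse of encode (p = 3 mod 4): take the square root that is at most q."""
    r = pow(elem, (P + 1) // 4, P)
    m = (r if r <= Q else P - r) - 1
    if m >= len(D) ** N:
        return None                            # not an encoded password
    pw = ""
    for _ in range(N):
        pw, m = D[m % len(D)] + pw, m // len(D)
    return pw

def mac(v, i, letter):
    """phi_i / varrho_i: HMAC keyed with the implicit parameter v, reduced mod q."""
    tag = hmac.new(v, bytes([i]) + letter.encode(), hashlib.sha256).digest()
    return int.from_bytes(tag, "big") % Q

def combine(points):
    """Equation (1): from t pairs (x_i, g^{r alpha_i}) interpolate g^{r f(0)} in the exponent."""
    out = 1
    for x_i, c_i in points:
        lam = 1                                # Lagrange coefficient lambda_{0,i} mod q
        for x_j, _ in points:
            if x_j != x_i:
                lam = lam * (-x_j) * pow((x_i - x_j) % Q, -1, Q) % Q
        out = out * pow(c_i, lam, P) % P
    return out

def register(password):
    """Client side of PASSWORD REGISTRATION (Fig. 3); returns the record the server stores."""
    v1, v2 = os.urandom(16), os.urandom(16)
    alpha = rnd(1, Q)
    coeffs = [alpha] + [rnd(0, Q) for _ in range(T - 1)]     # f(0) = alpha, degree t - 1
    f = lambda x: sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q
    xs = [mac(v1, i, password[i]) for i in range(N)]         # x_i = phi_i(p_i)
    ys = [(f(xs[i]) - mac(v2, i, password[i])) % Q for i in range(N)]  # alpha_i - varrho_i(p_i)
    h, r = pow(G, alpha, P), rnd(1, Q)
    c = (pow(G, r, P), encode(password) * pow(h, r, P) % P)  # ElGamal encryption of p
    return {"pk": (Q, G, h), "v1": v1, "v2": v2, "c": c, "y": ys}

def server_recover(rec, guess):
    """Server side of PASSWORD RECOVERY (Fig. 3, step 2): re-randomize c, then c'_i per letter."""
    (a, b), h = rec["c"], rec["pk"][2]
    r2 = rnd(1, Q)
    a2, b2 = a * pow(G, r2, P) % P, b * pow(h, r2, P) % P    # c' = (a g^r', b h^r')
    partial = [pow(a2, (rec["y"][i] + mac(rec["v2"], i, guess[i])) % Q, P) for i in range(N)]
    return rec["pk"], rec["v1"], (a2, b2), partial

def client_recover(guess, pk, v1, c2, partial):
    """Step 3: run the combiner on every t-subset; a subset is correct exactly when all of
    its letters of p' agree with p, and p'' "matches" p' is read as p'' ~_t p'."""
    b2, xs = c2[1], [mac(v1, i, guess[i]) for i in range(N)]   # phi_i(p'_i)
    for sub in combinations(range(N), T):
        if len({xs[i] for i in sub}) < T:
            continue                                         # degenerate interpolation points
        h_r = combine([(xs[i], partial[i]) for i in sub])    # equals h^{r + r'} iff all correct
        cand = decode(b2 * pow(h_r, -1, P) % P)
        if cand and sum(x == y for x, y in zip(cand, guess)) >= T:
            return cand
    return None
```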

Correctness and Security. Correctness of the PR phase is straightforward: if $p \approx_t p'$ then at least $t$ partial decryptions are correct and thus the client can decrypt $c'$. Otherwise, the client does not have enough partial decryptions of $c'$.

Theorem 6.1 (The privacy of the client). An adversary $A$ attacking the privacy of the client from Figure 3 produces two passwords $p_0, p_1$, and sends them to an oracle. Then the oracle chooses $b \in_R \{0, 1\}$, performs the registration for $p_b$, and sends the result back. Finally, $A$ outputs his guess of $b$.

Working in ROM, no $A$ having non-negligible advantage exists under the DDH assumption and Assumption 4.1.

Proof (sketch). Assuming that the DDH assumption holds (and thus ElGamal is semantically secure), $A$ can break the scheme only by gaining the secret of the local PR data. Following Theorem 4.2, if the local PR security is broken then Assumption 4.1 does not hold.

Theorem 6.2 (The privacy of the server). Define an ideal situation to be one in which an adversary tries PR by sending his guess $p'$ of the password $p$ to the server, who returns $p$ if $p' \approx_t p$, and the empty string otherwise. Now, define a simulator as an algorithm that works in the ideal situation, and acts as a server to an adversary $A$ attacking the privacy of the server.

In ROM and under the DDH assumption, there exists a simulator $I$ such that no adversary $A$ can distinguish between $I$ and the real server (from Figure 3) with non-negligible advantage.

The proof sketch of this lemma is in Appendix C.

Complexity. During the registration the client sends a public key, two secret values (of length $k$), the login, the hash of the password, an encryption of the password, and $n$ perturbed shares. The complexity of this phase can be bounded by $O(nk)$ bits. In the PR phase the server sends the public key, an encryption of the password, and $n$ potential partial decryptions. This totals $O(nk)$ bits.

The registration is performed efficiently by the participants. In the PR phase the server's performance is fast (the main load is $n$ exponentiations), while the client's time complexity involves $\binom{n}{t}$ polynomial interpolations (Step 3).

7 Password Recovery for the Challenge-Response System 

In this section we present a PR solution for the challenge-response login system, where the password or the guess of the password is never sent to the server. We combine the protocol from Section 6.2 with $OT^l_n$ oblivious transfer (see below). The challenge-response PR protocol is shown in Figure 4.

There are two participants in the OT protocol: Receiver, who wants to obtain some information from a remote database, and Sender, who owns the database. OT can be formalized as follows. During a 2-party 1-out-of-$n$ OT protocol for $l$-bit strings ($OT^l_n$), Receiver fetches $S[q]$ from the Sender's database $S = (S[1], \dots, S[n])$, $S[j] \in \{0, 1\}^l$, so that a computationally bounded Sender does not know which entry Receiver is learning. Moreover, we assume information-theoretic privacy of Sender (it means that Receiver obtains only the desired $S[q]$ and nothing more). Such an $OT^l_n$ scheme is presented in [13]. This OT protocol works in bit communication $O(k \log^2 n + l \log n)$, low degree polylogarithmic Receiver's time computation and linear time Sender's computation. This is the fastest oblivious transfer protocol to the best of our knowledge.

This system is very similar to the one from Section 6.2. However, the log in routine is different (i.e., the challenge-response one is used), and the PR routine is a bit modified. The client does not send the guess $p' = p'_1, \dots, p'_n$ directly to the server. Instead, he obtains partial decryptions corresponding to $p'$ in an oblivious way, as follows. For each $i \in \{1, \dots, n\}$, the server prepares a potential partial decryption $c'_i$ for all possible $|D|$ letters (Step 3). Then the client asks for partial decryptions for the guess $p' = p'_1, \dots, p'_n$ by performing oblivious transfer $n$ times: for every letter $p'_i$ separately. In this way, the server does not gain information about $p'$, and the client cannot ask for more than one partial decryption per OT protocol. The protocol's security follows from the security of OT and the security properties of the scheme from Section 6.2.

PASSWORD REG.: like in Fig. 3, but instead of $H(p)$, the values $g, g^{H(p)}$ are sent.
LOGGING IN: like in the challenge-response PA system (Figure 1).
PASSWORD RECOVERY: The client's input is: login and $p' = p'_1, \dots, p'_n$; $p'_i \in D$; the server's input is the database.

1. The client sends $(login, p')$ to the server.

2. The server, using login, finds $PR = (pk, v_1, v_2, c, \{y_1, \dots, y_n\})$ in the database. Then he re-randomizes $c = (a, b)$: $c' = (a \cdot g^{r'}, b \cdot h^{r'})$ and sends $v_1$, $pk$, $c'$.

3. For $i \in \{1, \dots, n\}$, the client and the server perform the $OT^b_m$ protocol, where $|D| = m$ and $b$ is a partial decryption's bit size. The server acts as Sender with the database:

$S[j] = a'^{\,y_i + \varrho_i(j)}$ for all $j \in D$

(where $c' = (a', b')$), and the client acts as Receiver with index $q = p'_i$. The client's output is $S[q]$.

4. The same as Step 3 in PR from Figure 3.

Fig. 4. Challenge-response PR

7.1 Correctness and Security 

We give an informal intuition about the theorems and the proofs. The proofs of the correctness and of the privacy of the client outside the protocol runs are the same as for the system from Figure 3. The proof of the privacy of the server is the same as the one for PR from Figure 3, assuming that the OT is secure. The privacy of the client during PR runs is maintained by using OT (the server cannot gain any information about the client's guess $p'_1, \dots, p'_n$).

7.2 Complexity 

Only the PR phase is significantly different from the system from Figure 3. The major payload comes from $n$ runs of $OT^b_{|D|}$ protocols. This can be bounded by $O(n(k \log^2 |D| + b \log |D|)) = O(nk \log^2 |D|)$ bits. The bit complexity of this PR, although greater than the one from Figure 3, is still efficient.

In the PR protocol the time complexity of the client is relatively high and follows from $\binom{n}{t}$ polynomial interpolations. The main drawback of this protocol is the time complexity of the server, who acts as Sender in OT, using $O(n \cdot |D|)$ operations. However, for the relatively small domain of letters $D$, and due to the fact that PR is performed rarely, this solution is still quite feasible. This drawback might be of greater impact if we use this protocol in the personal entropy setting (i.e., the question-answer setting), where $|D|$ might be larger.



8 Conclusions 



In this paper we have presented secure and efficient solutions for password recovery, where the recovery data is stored securely at the server side. Our solutions apply to all common types of password authentication systems, without significantly lowering their security. We have introduced a variant of threshold encryption, called equivocable, that serves as a building block for our solutions, and that may be of independent interest as well.

Further research could be aimed at alternative definitions of password similarity that also include reordering of password letters (which is a common mistake). Other issues that can be improved are the $\binom{n}{t}$ time complexity at the client side, and the server's time complexity in the challenge-response protocol (Section 7).
A Simple Substring-Knowledge Password Recovery in the Challenge-Response Setting

In this appendix we present a simple and efficient substring-knowledge challenge-response PR scheme that uses an additively homomorphic encryption scheme. In order to recover a password, a client needs to prove to the server that he remembers a substring of the original password.

Let $[\cdot]_K$ denote a homomorphic encryption function with a public key $K$. The homomorphic cryptosystem supports the following two operations, which can be performed without knowledge of the private key. Firstly, given the encryptions $[a]_K$ and $[b]_K$ of $a$ and $b$, one can efficiently compute the encryption of $a + b$, denoted $[a + b]_K := [a]_K +_h [b]_K$. Secondly, given a constant $c$ and the encryption $[a]_K$ of $a$, one can efficiently compute the encryption of $c \cdot a$, denoted $[a \cdot c]_K := [a]_K \cdot_h c$. These properties hold for suitable operations $+_h$ and $\cdot_h$ defined over the range of the encryption function. An example of such an encryption scheme is Paillier's cryptosystem [16].

In the registration phase the client sends, besides the data necessary for logging in, $h_1(p_{1,t}), h_2(p_{2,t+1}), \dots, h_{n-t+1}(p_{n-t+1,n})$ (for simplicity, we denote $p_{i,j} = p_i, \dots, p_j$) and $E_{H_1(p_{1,t})}(p), \dots, E_{H_{n-t+1}(p_{n-t+1,n})}(p)$, where $E_{sk}(\cdot)$ is a symmetric encryption scheme and $H_i, h_i$ are hash functions. Notice that to recover the password $p$, it is necessary to derive some $h_i(p_i, \dots, p_{i+t-1})$ or $H_i(p_i, \dots, p_{i+t-1})$, and this (assuming ROM) is only possible by obtaining any substring $p_i, \dots, p_{i+t-1}$.

Later on, in the PR phase, the client produces a public key $K$ of the homomorphic encryption scheme, and sends it to the server together with $[h_1(p'_{1,t})]_K, \dots, [h_{n-t+1}(p'_{n-t+1,n})]_K$. Then the server computes $\{[(h_i(p'_{i,i+t-1}) - h_i(p_{i,i+t-1})) \cdot r_i + E_{H_i(p_{i,i+t-1})}(p)]_K \mid i \in \{1, \dots, n-t+1\}\}$ (where $r_i$ are random values), and sends this set to the client. The client decrypts the values from the received set and checks if he can decrypt these values with any of $H_1(p'_{1,t}), H_2(p'_{2,t+1}), \dots, H_{n-t+1}(p'_{n-t+1,n})$ (then he derives $p$).

The scheme is correct, since if $h_i(p'_{i,i+t-1}) = h_i(p_{i,i+t-1})$ then the client obtains $E_{H_i(p_{i,i+t-1})}(p)$, and he can easily decrypt it. Otherwise, the value received is random (because $r_i$ are random) and therefore the client cannot successfully decrypt. The privacy is protected by the security of the encryption schemes.
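As an added example (constructed here, not the paper's code) of the Appendix A scheme: a toy Paillier instance plays $[\cdot]_K$, SHA-256 plays $h_i$ and $H_i$, and a key-derived one-time pad plays $E_{sk}$; passwords are $n = 6$ lowercase letters and the substring length is $t = 3$. The key sizes, the hash choice and the pad are assumptions of this example.

```python
import hashlib, random
from math import gcd

rnd = random.SystemRandom().randrange
D, N, T = "abcdefghijklmnopqrstuvwxyz", 6, 3    # letters, password length n, substring length t

# Toy Paillier keys (constructed): n = P_*Q_ with two Mersenne primes, so n is about 2^92.
P_, Q_ = (1 << 31) - 1, (1 << 61) - 1
NN = P_ * Q_
NN2 = NN * NN
LAM = (P_ - 1) * (Q_ - 1) // gcd(P_ - 1, Q_ - 1)          # lambda = lcm(P_ - 1, Q_ - 1)
MU = pow((pow(NN + 1, LAM, NN2) - 1) // NN, -1, NN)      # mu = L(g^lambda mod n^2)^-1 mod n

def enc(m):
    """[m]_K = (1 + n)^m * r^n mod n^2 (Paillier with g = n + 1)."""
    return pow(NN + 1, m % NN, NN2) * pow(rnd(1, NN), NN, NN2) % NN2

def dec(c):
    """Private-key decryption: L(c^lambda mod n^2) * mu mod n."""
    return (pow(c, LAM, NN2) - 1) // NN * MU % NN

def h_add(c1, c2):
    """[a]_K +_h [b]_K = [a + b]_K."""
    return c1 * c2 % NN2

def h_mul(c, k):
    """[a]_K ._h k = [a * k]_K."""
    return pow(c, k, NN2)

def hsh(tag, i, sub):
    """h_i (tag b'h') and H_i (tag b'H'): SHA-256 over window index and substring, in Z_n."""
    digest = hashlib.sha256(tag + bytes([i]) + sub.encode()).digest()
    return int.from_bytes(digest, "big") % NN

def E_sym(key, m):
    """E_sk: one-time pad derived from the key over the 8n-bit password encoding (self-inverse)."""
    return m ^ (key % (1 << (8 * N)))

def to_pw(m):
    """Bytes-to-password decoding; None unless the value is exactly n lowercase letters."""
    pw = m.to_bytes(N, "big").decode("ascii", "replace") if m < 1 << (8 * N) else ""
    return pw if all(ch in D for ch in pw) and len(pw) == N else None

def register(password):
    """Registration data: (h_i(p_{i,i+t-1}), E_{H_i(p_{i,i+t-1})}(p)) for every window i."""
    p_int = int.from_bytes(password.encode(), "big")
    return [(hsh(b"h", i, password[i:i + T]), E_sym(hsh(b"H", i, password[i:i + T]), p_int))
            for i in range(N - T + 1)]

def client_request(guess):
    """PR step 1: [h_i(p'_{i,i+t-1})]_K for every window of the guess, under the client's key."""
    return [enc(hsh(b"h", i, guess[i:i + T])) for i in range(N - T + 1)]

def server_answer(rec, cts):
    """PR step 2: [(h_i(p') - h_i(p)) * r_i + E_{H_i(p)}(p)]_K, computed homomorphically."""
    out = []
    for (h_i, e_i), ct in zip(rec, cts):
        diff = h_add(ct, enc(NN - h_i))                    # [h_i(p') - h_i(p)]_K
        out.append(h_add(h_mul(diff, rnd(1, NN)), enc(e_i)))
    return out

def client_finish(guess, answers):
    """PR step 3: decrypt each value and try to open it with H_i of the guessed window."""
    for i, ct in enumerate(answers):
        sub = guess[i:i + T]
        pw = to_pw(E_sym(hsh(b"H", i, sub), dec(ct)))
        if pw and pw[i:i + T] == sub:                      # opened value is a password whose
            return pw                                      # window i is the one we know
    return None
```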



B Proof Sketch of Lemma 5.3

Notice that this game can be rephrased as follows. The oracle's first answer is always proper, i.e.: $g^r, g^{r\alpha}, g^{r\alpha_{i_1}}, \dots, g^{r\alpha_{i_{t-1}}}$. Only the following answers are constructed either always properly (if $b = 0$), or always randomly. It follows from the fact that $t$ random values (in the first oracle's answer) always define a polynomial of degree at most $t - 1$.

Proof (sketch). Assume that $A$ asks the oracle for partial decryptions at most $d$ times (where $d$ is polynomial in $k$). For simplicity, we assume that $n = t = 3$ and $d = 2$. The proof for greater $n$, $t$, and $d$ can be made similarly.

Assume to the contrary that an $A$ winning the game with non-negligible advantage $a$ exists. Using $A$ we construct an adversary $A^*$ that breaks the ElGamal security. Firstly, $A^*$ receives a public key $(q, g, g^{\alpha})$ from a "semantic security" oracle. Secondly, $A^*$ generates $x_1, x_2, x_3 \in_R \mathbb{Z}_q$ and sends them to $A$. Then $A^*$ sends plaintexts $p_0 = 1$ and $p_1 \in_R G$ to the oracle, which answers with $g^{r_1}, p_b g^{r_1 \alpha}$.

Now, $A^*$ chooses a random permutation $\pi : \{1, 2, 3\} \to \{1, 2, 3\}$ (we denote $j_l = \pi(l)$), and picks $\alpha_{j_1}, \alpha_{j_2} \in_R \mathbb{Z}_q$. Then $A^*$ computes (using Equation (1)) such $g^{\alpha_{j_3}}$ that the points $\{(0, \alpha_{j_1}), (x_{j_1}, \alpha), (x_{j_2}, \alpha_{j_2}), (x_{j_3}, \alpha_{j_3})\}$ define a polynomial of degree 2. We denote (for $1 \le i \le 3$): $\alpha'_i = \alpha$ if $i = j_1$, and $\alpha'_i = \alpha_i$ otherwise. $A^*$ sends a public key $pk' = (q, g, g^{\alpha_{j_1}})$ to $A$.

When $A$ asks the first time (for partial decryptions) with $i_1, i_2$ then $A^*$ answers (for $r \in_R \mathbb{Z}_q$) with: $g^r, g^{r\alpha_{j_1}}, g^{r\alpha'_{i_1}}, g^{r\alpha'_{i_2}}$. For $A$'s second question $i'_1, i'_2$, $A^*$ firstly checks whether $\{i'_1, i'_2\} \neq \{j_1, j_2\}$. If it holds then $A^*$ halts and outputs a random bit. Otherwise $A^*$ first sends $g^{r_1}, g^{r_1 \alpha_{j_1}}$. Then $A^*$ chooses $b' \in_R \{0, 1\}$, and for every $1 \le e \le 2$, acts as follows. If $i'_e = j_1$ then $A^*$ sends $p_b g^{r_1 \alpha}$ to $A$. If $i'_e = j_2$ and $b' = 0$ then $A^*$ sends $g^{r_1 \alpha_{j_2}}$. Otherwise ($i'_e = j_2$ and $b' = 1$): $g^{r_1 x}$ (for $x \in_R \mathbb{Z}_q$) is sent. Finally, $A^*$ returns $A$'s output.

Notice that the probability that $\{i'_1, i'_2\} \neq \{j_1, j_2\}$ (and that $A^*$ halts with a random output) is $1 - 1/\binom{3}{2}$. Assume that it does not happen. If $b = b'$ then $A$'s input is well constructed and the probability that $A$ outputs $b$ is $\frac{1}{2} + a$. Otherwise, because of the random permutation $\pi$, $A$'s input is distributed independently of $b$. Hence, the probability of $A$ guessing correctly is $\frac{1}{2}$ in this case. Therefore, $A^*$'s advantage is $a / (2 \binom{3}{2})$, and is non-negligible. □

The full proof for this lemma is similar, but complex, and we omit it here due to the space constraints (the proof for $d > 2$ uses similar techniques as in the proof of Lemma 5.2).

C Proof Sketch of Lemma 6.2

Proof (sketch). We construct $I$ that works only for unsuccessful PR invocations. The proof for a successful invocation of $A$ can be made similarly.

Firstly, $I$ generates $v_1 \in_R \{0, 1\}^k$, a public key $pk = (q, g, g^{\alpha})$, $y \in_R D^n$, and shares $(x_1, \alpha_1), \dots, (x_n, \alpha_n) \in \mathbb{Z}_q^2$ of the equivocable TE scheme (Section 5), such that $x_i = \phi_i(p_i)$. Later, when $A$ sends his $i$th guess $p^i$ then $I$ forwards it to the "ideal" oracle. If the oracle's answer equals $p$ then $I$ halts. Otherwise $I$ chooses $r, r_1, \dots, r_n \in_R \mathbb{Z}_q$, and sends: $v_1$, $pk$, $c = (g^r, y g^{r\alpha})$, $\{c_1 = g^{r r_1}, \dots, c_n = g^{r r_n}\}$ to $A$.

$A$ can only submit a proper guess of the password (otherwise the server would recognize it). Therefore, $A$ cannot break the protocol by disobeying the PR routine. Hence, now we only need to show that $A$'s view sent by $I$ is indistinguishable from the corresponding view in the real situation.

Let us now consider $A$ in the real situation (Figure 3). Notice that, because $A$ works in ROM, the data received by $A$ in any $d$ unsuccessful PR runs corresponds to the data from $d$ unsuccessful invocations of the algorithm CM in the equivocable TE scheme. The difference is that, here, $A$ does not know which value $\phi_i(p_i)$ (for any $p_i \in D$) is a part of a share (i.e., equals $x_i$), while CM correctly knows all $x_i$. However, Lemmas 5.2, 5.3 and Corollary 5.4 can be applied in $A$'s case, because $A$ has less information than the combiner CM.

In every invocation $A$ receives at most $t - 1$ correct partial decryptions. Incorrect partial decryptions are created using values independent of $\alpha$ and $\alpha_i$, because if $p_j \neq p'_j$ then $-\varrho_j(p_j) + \varrho_j(p'_j)$ is random in $\mathbb{Z}_q$ (in ROM). Therefore, based on Lemma 5.2, $A$ cannot distinguish encryptions received in the real situation from encryptions received from $I$.

Let $p$ be any password from $D^n$ encoded in $G$, and $p^1, \dots, p^d$ any list of passwords not similar to $p$. Consider the following probability distributions of instances of the adversary's view:

— $S_{0,0}$: $A$ receives properly constructed data from the PR routine (Figure 3) for his guesses $p^1, \dots, p^d$, and for the password $p$.

— $S_{0,1}$: For every guess $p^i$, $A$ receives proper $v_1$, $pk$, an encryption of $p$: $c$, and $n$ values: if $p^i_j = p_j$ ($1 \le j \le n$) then a correct partial decryption $c'_j$, and $c'_j \in_R G$ otherwise.

— $S_{1,1}$: similar to $S_{0,1}$, but all $c'_j \in_R G$ (for every guess); $S_{1,1}$ corresponds to the view sent by $I$.

We show that no algorithm $\mathcal{D}(p, p^1, \dots, p^d)$ can distinguish between an input sampled from $S_{0,0}$ and an input sampled from $S_{1,1}$ (under the DDH assumption). Define $\mathcal{D}_{0,0}$ as the probability that the output of $\mathcal{D}$ is 1 given an input sampled from $S_{0,0}$. Similarly, we define $\mathcal{D}_{1,1}$, $\mathcal{D}_{0,1}$. It holds that

$$|\mathcal{D}_{0,0} - \mathcal{D}_{1,1}| \le |\mathcal{D}_{0,0} - \mathcal{D}_{0,1}| + |\mathcal{D}_{0,1} - \mathcal{D}_{1,1}|.$$

Assume to the contrary that $|\mathcal{D}_{0,0} - \mathcal{D}_{1,1}|$ is non-negligible. Then either $|\mathcal{D}_{0,0} - \mathcal{D}_{0,1}|$ is non-negligible or $|\mathcal{D}_{0,1} - \mathcal{D}_{1,1}|$ is non-negligible. In the first case, Corollary 5.4 does not hold. In the second case, Lemma 5.3 does not hold. Therefore, $A$ cannot distinguish $I$ from the real server under the DDH assumption. □



